Data Law Insights (https://www.crowelldatalaw.com)
Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Comment Period Extended for NIST SP 800-171 Assessment Guide
Mon, 11 Dec 2017
https://www.crowelldatalaw.com/2017/12/comment-period-extended-nist-sp-800-171-assessment-guide/

Less than two weeks after the National Institute of Standards and Technology (NIST) published a draft version of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, on November 28, the National Archives and Records Administration (NARA) announced today that the comment period has been extended to January 15, 2018. This gives interested parties an extra three weeks from the original deadline to provide input on what contractors and their customers may use as a guide to assessing future compliance with the security standard and – importantly – the government contracts regulations that incorporate that standard, including DFARS 252.204-7012 and FAR 52.204-21.

Ninth Circuit: Disclosure of video viewing history constitutes harm sufficient to confer standing in federal court
Mon, 04 Dec 2017
https://www.crowelldatalaw.com/2017/12/ninth-circuit-disclosure-video-viewing-history-constitutes-harm-sufficient-confer-standing-federal-court/

The Ninth Circuit Court of Appeals has joined the Third and Eleventh Circuits in ruling that any disclosure of an individual’s online viewing history along with their personally identifiable information confers standing to bring a suit for violation of the Video Privacy Protection Act (VPPA) in federal court. The case, Eichenberger v. ESPN, Inc., Case No. 15-35449, concerned ESPN’s alleged practice of disclosing to Adobe Analytics the device serial numbers and viewing history of consumers who used its “WatchESPN Channel” application on Roku streaming devices. Adobe is alleged to have used the information provided by ESPN, in combination with information gathered from other sources, to identify the subscribers and then provide aggregated data to ESPN that was in turn shared with advertisers. The plaintiff alleged that this practice violated the VPPA’s prohibition on knowing disclosure of personally identifiable information of consumers. ESPN attacked plaintiff’s claim on two fronts: first, arguing that he did not have standing because he had not suffered an injury, and second, that even if he had standing, it had not shared his “personally identifiable information.” The district court ruled in his favor on the second point, and the Ninth Circuit took up both issues on appeal.

With respect to the threshold issue of whether the plaintiff had standing to bring a claim based on a bare violation of the statute, the Ninth Circuit ruled that such a violation was sufficient to confer Article III standing. The court distinguished the case from the Supreme Court’s decision in Spokeo, Inc. v. Robins, where the high court ruled that a procedural violation of a statute, without more, did not grant a plaintiff standing to seek redress in federal court. Here, in contrast, according to the Ninth Circuit, ESPN’s alleged conduct violated the substantive provisions of the VPPA—the right to “retain control over their personal information.” In so ruling, the court rejected ESPN’s argument that the VPPA requires an allegation of some harm in addition to the privacy violation.

Plaintiff, however, did not fare so well on the second issue presented in the appeal—whether his Roku device serial number constituted “personally identifiable information” under the statute. The court observed that this term can cover information that can be used to determine a person’s identity, but ultimately concluded that it was not so expansive as to include the serial number of a device, even if a data aggregator could use that number to ferret out an individual’s identity. The court adopted the Third Circuit’s “ordinary person” test, which asks whether an ordinary person could use the information to identify an individual. Concluding that an ordinary person could not use a serial number to identify the owner of the device, the Ninth Circuit affirmed the district court’s dismissal of the action.

This decision automatically confers standing on plaintiffs in the states covered by the Ninth Circuit to bring actions against video content providers who share their personally identifiable information without authorization, even absent some other form of harm. But, it provides some room for those providers to share such information with third parties if an “ordinary person” would not be able to use the information to identify an individual, apparently even if it is disclosed to a third party expressly for the purpose of de-anonymizing it. Internet video content providers located within the Ninth Circuit would do well to review their data-sharing practices and privacy disclosures in light of this decision, particularly given the steep statutory penalties available to consumers for violation of the VPPA.

Can You Copyright Infringe Anonymously? Revisited.
Fri, 01 Dec 2017
https://www.crowelldatalaw.com/2017/12/can-copyright-infringe-anonymously-revisited/

On November 28, 2017, the Sixth Circuit, in a 2:1 decision, ruled on the anonymous copyright infringement case we discussed back in April. The central issue in the case involved whether an adjudicated copyright infringer can remain anonymous. A decision in favor of the infringer could encourage anonymous unlawful speech. A decision in favor of the judgment plaintiff could encourage suits designed only to “out” the name of an anonymous critic.

The Court remanded the case back to the district court to balance the infringer’s anonymity interest against both the judgment plaintiff’s interest in unmasking the infringer and the public’s interest in open judicial proceedings, with a presumption in favor of disclosure of the infringer. In short, the Court held that the infringer’s anonymity was not automatically lost upon his defeat in the litigation … at least under these circumstances.

On remand, the district court should consider the following:

the public’s presumption in favor of disclosure is stronger or weaker depending on the public’s interest in the litigation (e.g., intentional acts, nature of copyrighted material, extent of infringement, reach of infringement)

the judgment plaintiff’s presumption in favor of disclosure is stronger or weaker depending on the plaintiff’s need to unmask the infringer (e.g., ongoing remedy such as permanent injunction)

the infringer may rebut these presumptions by showing that “he engages in substantial protected speech that unmasking will chill” (here, the infringer was an anonymous blogger on other issues besides those in the litigation)

The dissenting judge took a simpler view of the anonymity issue:

Copyright infringement is not protected speech—just like obscenity or fighting words. If Doe’s speech is not protected, then no balancing is required. To the extent that unmasking him here will harm his ability to exercise his right to anonymous speech in the future, that is collateral to the issue before us and therefore not properly considered in this proceeding. I see no need for further analysis and would remand with instructions that the district court reveal Doe’s identity.

Law Firm Data Security Seminar
Tue, 21 Nov 2017
https://www.crowelldatalaw.com/2017/11/law-firm-data-security-seminar/

Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:

How to defend high-demand data?

Cyber-attack response readiness

What is your ethical obligation regarding data security knowledge and mitigating the risk of a data breach?

Report on the Autonomous Vehicle Safety Regulation World Congress 2017
Thu, 26 Oct 2017
https://www.crowelldatalaw.com/2017/10/report-the-autonomous-vehicle-safety-regulation-world-congress-2017/

The big takeaways from The Autonomous Vehicle Safety Regulation World Congress centered on the importance of a federal scheme for AV regulation and the reality of the states’ interest in traditional issues such as traffic enforcement, product liability, and insurance coverage. In keeping with those messages, the World Congress kicked off with NHTSA Deputy Administrator and Acting Director, Heidi King, speaking about NHTSA’s goals and interest, followed almost immediately by wide participation from the states, including California, Michigan, and Pennsylvania, among others.

Deputy Administrator King emphasized NHTSA’s desire to foster an environment of collaboration among all stakeholders, including the states. Ms. King emphasized that safety remains the top priority at NHTSA. NHTSA has provided some guidance, and looks forward to hearing from stakeholders about the best way to support and encourage growth in autonomous vehicles. NHTSA wants to provide a flexible framework to keep the door open for private sector innovation. It is necessary to build public trust and confidence in the safety of autonomous vehicles, and that can only be accomplished by all stakeholders working together.

NHTSA is working on the next version of AV guidance, having already issued version 2.0, with an expected release of version 3.0 in 2018. The guidelines will remain voluntary, but NHTSA is ready to support entities as they try to implement the voluntary guidance. Working with the states, DOT, OEMs, and other stakeholders, NHTSA hopes to continue to be flexible and allow for rapid changes. Later in the conference, lawyers emphasized the importance of compliance with the guidance in minimizing liability, particularly in no-fault states such as Michigan.

Dr. Bernard Soriano, deputy director, California Department of Motor Vehicles, similarly confirmed that California’s overarching interest in regulating AV is the safe operation of vehicles on its roadways. In summarizing California’s recent October 11, 2017 release of revised regulations, he emphasized that “change happens fast,” and that the state is pleased to now be close to allowing completely driverless testing. He recognized the federal preemption on the design of the vehicle and its crashworthiness and emphasized the state’s interest in the operation of the vehicles and compliance with state traffic laws.

Dr. Soriano indicated that since AV testing began in California there have been 44 crashes, a figure correlated to the number of cars on the road. He noted that most of them had been minor, low-speed events, usually involving a car with a driver not anticipating the action of the AV, which follows the traffic laws and “drives like a grandmother.” Indeed, representatives from New York, Pennsylvania and Michigan agreed on the importance of driver training and emphasized the role of the manufacturer and dealer in offering that training and providing incentives for drivers to learn new systems. As Kara Templeton, director, Bureau of Driver Licensing, Pennsylvania Department of Transportation, pointed out, the state DMVs do not train on cruise control or other features in the car. She also emphasized the need to train non-AV drivers on how to deal with AVs operating alongside them on the roadways.

Catherine Curtis, the director of vehicle programs for the American Association of Motor Vehicle Administrators, spoke about their work on the Jurisdictional Guidelines for the Safe Testing and Deployment of Highly Automated Vehicles, which will propose a framework to ensure consistency among states on the implementation of regulations to encourage innovation and widespread distribution of safety technologies. The guidelines, expected to be released in late February 2018, will also address the importance of SAE terms as universal definitions for consistency, ideas for manufacturers on system use and misuse, criminal activity, and crash and incident reporting.

On cybersecurity, the speakers made it clear that security issues cross all IT systems, well beyond cars, and that those issues must be addressed regardless of specific legislative activities at the state level. The speakers repeatedly emphasized the need to follow best practices and encouraged white hat efforts to identify vulnerabilities and protect against attacks and other actions with malicious intent.

Panelists also recognized the importance of data and the need to define the ownership of black box information as well as images on cameras and other parameters being tracked by the vehicle. Terrence J. McDonnell, staff sergeant, New York state police, acknowledged that in addition to the data in the vehicle, law enforcement generates its own data at the scene of any accident to emphasize the layers of data at issue in the AV world.

Lawyers predicted significant fights over the production of source code in future product liability cases over potential design defects and posed the question whether juries will be able to understand the complexities of a software design case. Others at the program predicted that failure-to-warn claims would be the first wave of liability cases against manufacturers, suggesting the importance of mitigating those risks by the creative use of technology to educate and warn drivers. Other risk mitigation advice at the conference included:

Avoid the temptation to over tout the advantages of the AV technology in promotional activities to avoid misrepresentation claims;

Leverage the dealer network with incentives to educate drivers on the use of new technologies;

Consider the need to educate non-AV drivers as vehicles with varied amounts of AV functionality hit the roads together;

Many of the speakers over the two-day conference agreed that the existing product liability framework can adequately address emerging high-tech products. For that reason, the speakers coalesced around advising businesses to assume the existing risk-utility paradigm for product liability will remain and to design emerging products to meet those traditional tests. That means thinking about whether there are reasonable alternative designs that are technically, economically and practically available and that will reliably enhance overall safety and be accepted by consumers.

Join Us for a Webinar – Tuesday, October 10, 2017 12:00 – 1:00 PM ET
Tue, 26 Sep 2017
https://www.crowelldatalaw.com/2017/09/join-us-webinar-tuesday-october-10-2017-1200-100-pm-et/

It’s been said that “A lie gets halfway around the world before the truth can even pull its boots on.” In today’s world of online commentary and social media, this is truer than ever.

In the cyber-world, you or your company may be accused of selling defective goods, providing poor service, misleading customers, defrauding the government, or committing unethical or criminal conduct. These accusations can appear in e-mails to your clients or government enforcement agencies, as posts on blogs or company websites, or in streamed videos on social media. What’s more, they can be made or circulated by competitors or persons cloaked behind the anonymity of the internet, making it difficult (but not impossible) to hold responsible persons accountable.
As a result, internet defamation cases are on the rise. A surprise reputational attack in the cyber-world requires quick thinking and a game plan.

DOJ Asks Supreme Court to Resolve Split over Its Ability to Compel Foreign Records
Thu, 24 Aug 2017
https://www.crowelldatalaw.com/2017/08/doj-asks-supreme-court-resolve-split-ability-compel-foreign-records/

U.S.-based technology companies and courts across the country have disagreed over the extraterritorial application of the Stored Communications Act in allowing U.S. law enforcement to enforce warrants to reach data stored overseas. Some courts have treated the data stored overseas as a “physical” object and, therefore, refused to extend the reach of the Act abroad. Other courts have found that the Act authorized a warrant for overseas data because the technology company was subject to the court’s jurisdiction and the warrant sought information from the only place the company could access it. Companies have called on Congress to help clarify the issue, and the government has also appealed to the Supreme Court to do the same.

The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach without allegations of actual misuse of compromised data. Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a ruling that the alleged theft of personally identifying policyholder information alone, without any specific allegations of harm, did not satisfy Article III’s standing requirements. In Attias v. CareFirst, Inc., a group of CareFirst customers alleged that a 2014 cyberattack compromised their personal information and thus increased their risk of identity theft from compromised social security numbers and financial information, and also their risk of medical identity theft from compromised health insurance subscriber ID numbers. The district court dismissed their claims, finding that the plaintiffs failed to allege “facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner.” Applying the “substantial risk” standard discussed in the Supreme Court’s Clapper v. Amnesty International and Susan B. Anthony List v. Driehaus decisions, the D.C. Circuit reversed.

The D.C. Circuit noted that identity theft is a sufficiently concrete and particularized injury for Article III purposes, so the only issue before the court was whether the allegations showed “that the plaintiffs now face a substantial risk of identity theft” as a result of the alleged breach. Echoing the Seventh Circuit’s 2015 decision addressing the Neiman Marcus data breach, the D.C. Circuit inferred that the alleged attacker(s) had the intent and ability to misuse the data because the purpose of a data breach is, presumably, to make fraudulent charges or commit identity theft. In light of this presumption, the D.C. Circuit reasoned that the alleged theft of either type of information—even before misuse—presented a substantial risk of future injury, which constituted the “actual or imminent” harm necessary for Article III standing. As to the other standing requirements, the court found the alleged harm fairly traceable to CareFirst’s alleged failure to properly secure policyholder information, and that the policyholders’ risk-mitigation expenses satisfied Article III’s redressability requirement.

The D.C. Circuit’s conclusion furthers a circuit split on standing that has deepened since the Supreme Court’s 2016 Spokeo v. Robins decision. In Spokeo, the Supreme Court noted that a bare procedural violation did not necessarily constitute “concrete” harm, and that the Ninth Circuit failed to address whether the alleged harm presented “a degree of risk sufficient to meet the concreteness requirement” of Article III. Even though Spokeo is the Supreme Court’s most recent decision regarding Article III standing, the CareFirst decision relied upon Clapper as the basis for its reversal. It should be noted that these two cases arose from different fact patterns and addressed wholly different statutes and allegations of harm. Nonetheless, there remains disagreement over what meets Article III’s “concreteness” requirement for standing in the privacy class action realm. The D.C. Circuit’s decision seems to align with the Third, Sixth, Seventh, and Eleventh circuits, each of which has permitted consumer data breach suits on the basis of possible future misuse. The Second and Fourth circuits, however, have reached different conclusions in 2017. This split may ultimately increase the potential costs of litigation if data breach plaintiffs begin concentrating class action filings in the more “friendly” jurisdictions and avoid courts that do not align with the D.C. and Seventh circuits.

On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey. As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on customers’ driver’s licenses and other forms of identification. The Act addresses these new technologies by:

Restricting the type of personal information that retailers may collect and retain from consumers’ identification cards to name, address, date of birth, identification card number, and the state in which the card was issued;

Limiting the purposes for which retailers may use personal information obtained from consumer identification cards (e.g. age verification);

Requiring retailers to securely store the limited information they are permitted to retain after electronically scanning the bar codes on consumers’ identification cards; and

Prohibiting retailers from disclosing or selling such information to third parties unless otherwise permitted to do so by the statute.

The Act carries civil penalties of $2,500 for first-time offenders and $5,000 for repeat offenders. In addition, the law allows consumers to bring a private right of action against retailers in connection with violations of the statute. While retailers that simply “card” customers (e.g. manually view identification cards) are not subject to the Act, it is important to note that their data handling practices may trigger liability under other applicable state laws (e.g. data destruction laws).

The Personal Information Privacy and Protection Act, which becomes effective on October 1, 2017, represents an important step in protecting consumer information in the context of retail transactions. First, the Act’s purpose limitation and security provisions will minimize the likelihood and impact of a data breach by substantially reducing the amount of sensitive data elements that retailers collect, store, and transmit to third parties, and by requiring extra layers of security to protect the limited information retailers now may retain. Second, by prohibiting the unauthorized sale of consumer information for marketing, advertising, or promotional activities, the Act will give consumers more control over their personal information. As technological advances continue to impinge on the privacy rights of consumers, it is likely that other states will enact similar legislation to ensure that the use of emerging technologies does not allow businesses to capture and use consumer information in a manner that is inconsistent with the purposes for which such information was originally collected and communicated to consumers at the point of sale.

Earlier this month, the Federal Bureau of Investigation (FBI) issued a public comment about privacy, cybersecurity, and safety risks associated with internet-connected toys. The FBI’s comment builds on the Federal Trade Commission’s recent amendment to the Children’s Online Privacy Protection Act (COPPA), which explicitly states that connected toys are deemed “websites or online services” subject to COPPA. In our sister blog, Retail & Consumer Products Law, our colleagues highlight the key issues associated with connected toys, protections with which smart toy manufacturers must comply under COPPA, and the potential trajectory for government enforcement efforts in the context of connected toys.